From Stress to Success: Prepare for External Quality Assessments

In 2024, the Institute of Internal Auditors (IIA) issued the Global Internal Audit Standards which now require internal audit departments to undergo an external quality assessment (EQA) every 5 years. The purpose of the assessment is to measure the effectiveness of the Internal Audit function at the organization as well as its conformance to the new Standards. There are several activities that the CAE and Internal Audit Team can do to prepare for the EQA and ensure an efficient and effective Assessment:

1. Understand the Standards. It’s important to familiarize with the structure and content of the new Standards. There are 15 Standards organized into 5 domains and there are specific requirements and criteria within each standard that must be met to achieve General or Full Conformance.
2. Conduct a Self-Assessment. According to Standard 12.1, the CAE must develop and conduct internal assessments, including periodic self-assessments. A self-assessment is an effective method to identify potential gaps in conformance to the new standards. Self-assessments should evaluate the adequacy of the internal audit’s methodologies, how well the internal audit function supports the overall organization’s objectives, the quality of services performed, and the degree to which stakeholder expectations are met and performance objectives achieved. Results of the internal assessments should be reviewed by the Board of Directors and/or governing body, and should be actioned on and addressed prior to the EQA. The results of the assessments and actions taken are also reviewed by the external assessors as part of the EQA.
3. Review the Internal Audit Charter. The internal audit charter is the governing document of the Internal Audit function and is typically approved by the Audit Committee and/or Board of Directors. The Standards require the Charter to be reviewed on a periodic basis and should include several key items:

• • The purpose and mission of the Internal Audit Function
  • Commitment to adhering to the Global Internal Audit Standards
  • The Internal Audit authority and organizational structure, including reporting relationships
  • The key responsibilities and tasks of the Internal Audit function
  • Safeguards to Independence and Objectivity
  • The Board/Committee’s responsibilities and expectations of the Internal Audit function, as well as Management’s support of the function
  • Administrative responsibilities, such as processes for approving the Internal Audit’s budget, reviewing performance, and internal and external assessments

It is prudent to review the Charter with the Committee chair in conjunction with the requirements outlined in the Standards. The CAE should propose and review the changes with the Board/Committee and obtain documented approval prior to the EQA.

4. Gather and organize documentation. There are several key documents that the external assessors will request at the beginning of the Assessment. During the Assessment kick-off meeting, the Assessors will provide a data request list to get started and understand the governance of the IA function. These documents are typically requested prior to selecting a sample of engagements and related audit workpapers for testing. It is important to have these documents readily available to send so there is no delay in the Assessment. Initial document requests include, but are not limited to:
   • Internal Audit Charter
   • Internal Audit Plans for the previous 5 years
   • Internal Audit Methodologies, including planning, risk assessment, communication, monitoring, management action plans, and conducting engagements
   • QAIP (Quality Assurance and Improvement Program) and any related results
   • Internal Audit Strategy
   • Risk Management policies and procedures
   • Organizational Chart and policies
   • Internal Audit-specific training requirements and methodologies for staff development
   • Any reports provided by the CAE to the Board, Audit Committee, or senior management for the past year

It can take substantial time and effort to collect these governance documents, especially gathering any reporting and communication or minutes with the Board or Audit Committee. Therefore, it’s important to get a head start in gathering the list of documents prior to the Kick-Off of the EQA.

5. Be Positive! The External Quality Assessment is meant to provide enhancement to the Internal Audit function. It is not intended for policing the IA team or undo criticism. The Standards offer flexibility and interpretation based on the size and maturity of the Internal Audit function at each organization. The Assessment includes ratings of conformance for individual Standards as well as each Domain and for the IA function. For ratings less than general conformance, be sure to ask your assessors for best practices to achieve a better rating in the future.

An External Quality Assessment can be overwhelming, especially for a small or less mature Internal Audit Team. However, there are several quick wins that each IA function can do, regardless of maturity or size. Being prepared and willing to collaborate with your external assessors on best practices are the keys to success.

Author

Bridget Cooper
Director, Business Advisory Solutions
BCooper@eliassen.com
https://www.linkedin.com/in/bridget-cooper-cpa-29a01b16/